how to set remoteuser

Re: how to set remoteuser

Hardik Shah wrote:
> hi
> we can get remoteuser using request.getRemoteUser() but how can we set it?

One approach is to wrap the request object. Create a Filter, decorate
the HttpServletRequest with one that implements setRemoteUser() and
delegates all other methods to the original. When getRemoteUser is
invoked it checks its local value first and, if not set, delegates to the
wrapped request object. Only your code needs to be aware of the special
implementation in order to set the remote user.

A proxy of HttpServletRequest that does the same thing may also be
possible. Not sure...

A better approach is to use the container's authentication as intended
so the remoteUser is managed by it.
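
The wrapper approach described in the reply above, as an added example that is not part of the original post. The class names RemoteUserFilter and SettableUserRequest are hypothetical, and the javax.servlet API is assumed.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: wraps every request so application code can set the remote user. */
public class RemoteUserFilter implements Filter {

    /** Hypothetical wrapper; only getRemoteUser/getUserPrincipal are overridden. */
    public static class SettableUserRequest extends HttpServletRequestWrapper {
        private String remoteUser; // local value, null until the application sets it

        public SettableUserRequest(HttpServletRequest request) { super(request); }

        public void setRemoteUser(String user) { this.remoteUser = user; }

        @Override
        public String getRemoteUser() {
            // Local value first, otherwise whatever the container authenticated.
            return remoteUser != null ? remoteUser : super.getRemoteUser();
        }

        @Override
        public Principal getUserPrincipal() {
            // Keep the principal consistent with getRemoteUser().
            if (remoteUser == null) return super.getUserPrincipal();
            final String name = remoteUser;
            return new Principal() { public String getName() { return name; } };
        }
        // isUserInRole() is not overridden: roles still come from the container,
        // and declarative <security-constraint> checks never see this wrapper.
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Code further down the chain can cast to SettableUserRequest and call
        // setRemoteUser(...) once it has verified the user's identity itself.
        chain.doFilter(new SettableUserRequest((HttpServletRequest) req), res);
    }
}
```

The value set this way lives only for the current request, so code that relies on it has to re-establish and re-verify the identity on every request.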

Re: how to set remoteuser

Hardik Shah wrote:
> my first and last goal is that I want to maintain single sign-on without
> storing user information in the session.
> I have also integrated Hibernate with it; can I use it to achieve something
> like that or not?

Do you mean single sign-on as in across multiple domains or webapps? If
so, this will probably be container specific.

If you mean a stateless authentication approach (i.e. they sign in once,
then each subsequent request includes the credentials so you don't have
to maintain a session for them), then:
- use HTTP basic (or digest) so the browser must authenticate each request
- this will need to be set up in your container
- if you use a JDBC realm, then, with Tomcat at least, you can allow
Tomcat to access the tables directly and use your own webapp to
add/remove users in those tables.

To avoid the terrible browser pop-up for credentials:
- if the user has javascript, perform login via an asynchronous request;
- if the user doesn't have javascript, allow the container to redirect
them to a plain old J2EE login page

When you have a HTTP server in front of your J2EE container it gets a
little more complicated; I'm not too sure about that.

This isn't as trivial as it should be. There may be a better approach.

Re: how to set remoteuser

>
> Jeromy Evans - Blue Sky Minds wrote:
>
>> Correct. It's not as bad as it first seems if you manage the entries in
>> the two tables (for tomcat) yourself.
>> Otherwise the next step is a third party library like Spring Security.
>
> I tried to use JDBCRealm, but when I submit
>
> it gives an error like
>
> HTTP Status 400 - Invalid direct reference to form login page
>
> I have been looking for a solution for 2 days and found no good tutorial
> for that. I am surprised that this topic is not included in the Struts 2 tutorial.
>

Get it to work without a login page first. Just allow it to pop up with
the browser dialog and for the container to authenticate via JDBC. When
that works, investigate how to configure your container to redirect to a
login page.

I suspect most users implement their own custom authentication strategy,
which means the Principal isn't valid, or they use Spring Security.

Re: how to set remoteuser

he he, that's also a major decision if you want to go down that path.
I don't recommend jumping after whichever approach seems least effort
(btw, your original approach to use a realm or not using the principal
at all is least initial effort if you don't want to learn another
framework).

You can't just switch from spring to guice to no DI framework. You have
to pick one and take the time to learn it I'm afraid :-). Learning
J2EE's security, spring's security or guice+warp are time well spent.

Re: how to set remoteuser

Yes, you are right!
I was just confused because of the various aspects shown.
